Federal agencies face accelerated patch deadlines after CISA ordered an immediate fix for CVE-2025-26399, a critical vulnerability in SolarWinds Web Help Desk that researchers say is being actively exploited. CISA also added two other bugs — including CVE-2026-1603 in Ivanti — to its Known Exploited Vulnerabilities catalog with shortened patch timelines amid reports of nation-state targeting. #SolarWindsWebHelpDesk #Ivanti
Keypoints
- CISA ordered federal civilian agencies to patch CVE-2025-26399 in SolarWinds Web Help Desk by Thursday.
- CVE-2025-26399 is the third patch iteration for a previously disclosed SolarWinds bug and has reported exploitation.
- This marks the third emergency directive in a month requiring immediate patches for SolarWinds Web Help Desk.
- CISA added two other exploited vulnerabilities, including CVE-2026-1603 affecting Ivanti, with two-week deadlines.
- Security firms report nation-state actors, including groups linked to China and Russia, repeatedly targeted Ivanti and SolarWinds products.
Read More: https://therecord.media/cisa-shortens-patch-deadline-ivanti-solarwinds